What is the maximum possible length of a query string?

Posted on 2025-01-21 04:46:16 · 49 words · 0 views · 0 comments

Is it browser dependent? Also, do different web stacks have different limits on how much data they can get from the request?

Comments (3)

旧伤慢歌 2025-01-28 04:46:16

RFC 2616 (Hypertext Transfer Protocol — HTTP/1.1) states there is no limit to the length of a query string (section 3.2.1). RFC 3986 (Uniform Resource Identifier — URI) also states there is no limit, but indicates the hostname is limited to 255 characters because of DNS limitations (section 2.3.3).

While the specifications do not specify any maximum length, practical limits are imposed by web browser and server software. Based on research which is unfortunately no longer available on its original site (it leads to a shady-seeming loan site) but which can still be found at Internet Archive Of Boutell.com:

  • Microsoft Edge (Browser)
    The limit appears to be around 81578 characters. See URL Length limitation of Microsoft Edge

  • Chrome
    It stops displaying the URL after 64k characters, but can serve more than 100k characters. No further testing was done beyond that.

    • Note: The maximum length is actually 2MB, and the display length is 32kB, as per the Chromium Docs referenced below.

  • Firefox (Browser)
    After 65,536 characters, the location bar no longer displays the URL in Windows Firefox 1.5.x. However, longer URLs will work. No further testing was done after 100,000 characters.

  • Safari (Browser)
    At least 80,000 characters will work. Testing was not tried beyond that.

  • Opera (Browser)
    At least 190,000 characters will work. Stopped testing after 190,000 characters. Opera 9 for Windows continued to display a fully editable, copyable and pasteable URL in the location bar even at 190,000 characters.

  • Microsoft Internet Explorer (Browser)
    Microsoft states that the maximum length of a URL in Internet Explorer is 2,083 characters, with no more than 2,048 characters in the path portion of the URL. Attempts to use URLs longer than this produced a clear error message in Internet Explorer.

  • Apache (Server)
    Early attempts to measure the maximum URL length in web browsers bumped into a server URL length limit of approximately 4,000 characters, after which Apache produces a "413 Entity Too Large" error. The current up-to-date Apache build found in Red Hat Enterprise Linux 4 was used. The official Apache documentation only mentions an 8,192-byte limit on an individual field in a request.

  • Microsoft Internet Information Server (Server)
    The default limit is 16,384 characters (yes, Microsoft's web server accepts longer URLs than Microsoft's web browser). This is configurable.

  • Perl HTTP::Daemon (Server)
    Up to 8,000 bytes will work. Those constructing web application servers with Perl's HTTP::Daemon module will encounter a 16,384 byte limit on the combined size of all HTTP request headers. This does not include POST-method form data, file uploads, etc., but it does include the URL. In practice this resulted in a 413 error when a URL was significantly longer than 8,000 characters. This limitation can be easily removed. Look for all occurrences of 16x1024 in Daemon.pm and replace them with a larger value. Of course, this does increase your exposure to denial of service attacks.


Additionally, the URL Length section of the Chromium Docs Guidelines for URL Display states the following:

In general, the web platform does not have limits on the length of
URLs (although 2^31 is a common limit). Chrome limits URLs to a
maximum length of 2MB for practical reasons and to avoid causing
denial-of-service problems in inter-process communication.

On most platforms, Chrome’s omnibox limits URL display to 32kB
(kMaxURLDisplayChars) although a 1kB limit is used on VR
platforms.

We can also confirm the kMaxURLDisplayChars size in the Chromium source code:

const size_t kMaxURLDisplayChars = 32 * 1024;

递刀给你 2025-01-28 04:46:16

Recommended Security and Performance Max: 2048 CHARACTERS

Although officially there is no limit specified by RFC 2616, many security protocols and recommendations state that maxQueryStrings on a server should be set to a maximum character limit of 1024, while the entire URL, including the query string, should be set to a max of 2048 characters. This is to prevent the Slow HTTP Request DDOS/DOS attack vulnerability on a web server. This typically shows up as a vulnerability on the Qualys Web Application Scanner and other security scanners.

Please see the below example code for Windows IIS Servers with Web.config:

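<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- maxQueryString and maxUrl are byte counts -->
        <requestLimits maxQueryString="1024" maxUrl="2048">
          <headerLimits>
            <!-- cap the size of the Content-type request header, in bytes -->
            <add header="Content-type" sizeLimit="100" />
          </headerLimits>
        </requestLimits>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>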

This would also work on a server level using machine.config.

This is just for Windows operating system based servers; I'm not sure if there is a similar issue on Apache or other servers.

Note: Limiting query string and URL length may not completely prevent a Slow HTTP Requests DDOS attack, but it is one step you can take to prevent it.

Adding a reference as requested in the comments:
https://www.raiseupwa.com/writing-tips/what-is-the-limit-of-query-string-in-asp-net/
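
For stacks that do not sit behind IIS, the same two caps can be enforced in the application tier. The following is an added example, not part of the original answer: a Python WSGI middleware that answers 414 when the query string exceeds 1024 bytes or the whole request target exceeds 2048 bytes, using the answer's numbers. The names RequestLengthLimiter, demo_app and probe are hypothetical, and the sample requests are constructed.

```python
from wsgiref.util import setup_testing_defaults

MAX_QUERY_BYTES = 1024  # same value as maxQueryString in the web.config above
MAX_URL_BYTES = 2048    # same value as maxUrl in the web.config above


class RequestLengthLimiter:
    """WSGI middleware: answer 414 before the application sees an oversized URL."""

    def __init__(self, app, max_query=MAX_QUERY_BYTES, max_url=MAX_URL_BYTES):
        self.app, self.max_query, self.max_url = app, max_query, max_url

    def __call__(self, environ, start_response):
        query = environ.get("QUERY_STRING", "")
        # Prefer the undecoded request target when the server exposes it
        # (REQUEST_URI / RAW_URI are non-standard keys set by some servers);
        # otherwise rebuild it from the standard, percent-decoded WSGI keys.
        target = environ.get("REQUEST_URI") or environ.get("RAW_URI")
        if target is None:
            target = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
            if query:
                target += "?" + query
        # WSGI strings are latin-1 decoded bytes, so len() counts bytes here.
        if len(query) > self.max_query or len(target) > self.max_url:
            body = b"URI Too Long\n"
            start_response("414 URI Too Long", [("Content-Type", "text/plain"),
                                                ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def probe(path, query):
    """Send one constructed GET through the limiter and return the status line."""
    environ = {"PATH_INFO": path, "QUERY_STRING": query}
    setup_testing_defaults(environ)  # fills in the remaining required WSGI keys
    seen = []
    RequestLengthLimiter(demo_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]


if __name__ == "__main__":
    print([probe("/search", "q=" + "a" * n) for n in (100, 1100)])
```

By the time this middleware runs, the front-end server has already read the request line, so the server's own request-line limit still has to be set for slow-request handling; the middleware only keeps oversized URLs away from application code.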

小鸟爱天空丶 2025-01-28 04:46:16

Different web stacks do support different lengths of HTTP requests. I know from experience that the early stacks of Safari only supported 4000 characters and thus had difficulty handling ASP.NET pages because of the USER-STATE. This is even for POST, so you would have to check the browser and see what the stack limit is. I think that you may reach a limit even on newer browsers. I cannot remember but one of them (IE6, I think) had a 16-bit limit, 32,768 or something.
